(TS//SI//REL) Only R&T Analysts can submit QUANTUMTHEORY Tasking to the 
QUANTUM team. TOPI Analysts can submit QUANTUMNATION Tasking through 
Target Profiler. The biggest difference is QUANTUMTHEORY deploys a stage 1 implant 
called VALIDATOR (soon to be COMMONDEER) and QUANTUMNATION deploys a 
stage 0 implant called SEASONEDMOTH (SMOTH). SMOTHs die within 30 days of 
deployment unless requested to extend the life. 

(TS//SI//REL) This presentation does not cover FAA QUANTUM, but if you identify an 
active selector, compare the SIGAD in Marina to the SIGAD on the GO QUANTUM wiki 
page to see if FAA QUANTUM is an option. 

(TS//SI//REL) This presentation is geared towards targets seen at US- . If you are 
unfamiliar with this SIGAD, it is equivalent to a TS//NF SIGAD that cannot be 
mentioned in this PowerPoint. You can contact the POC of this brief for more 
information. 
Web Browsing (Exploit with QUANTUM - The concept man-on-the-side) 

* QUANTUM is a man-on-the-side capability. If your target has a selector 
that is active in the last 14 days, vulnerable to the QUANTUM technique, 
and seen by an SSO site that has QUANTUM capabilities, then there might 
be the opportunity to detect that communication in real-time and piggy 
back with the requested content back into the target's network and 
implant the host. 

* QUANTUMTHEORY can be used only if a TAO Project is set up (must 
coordinate with your R&T Analyst) 

* QUANTUMNATION can be used regardless of a TAO Project (TOPI does the 
tasking in Target Profiler) 

* The biggest difference is QUANTUMTHEORY deploys a stage 1 implant 
called VALIDATOR (soon to be COMMONDEER) and QUANTUMNATION 
deploys a stage 0 implant called SEASONEDMOTH (SMOTH). SMOTHs die 
within 30 days of deployment unless requested to extend the life. The 
exploit technique is the same. 
What is QUANTUM? 

QUANTUM Generic Animation - High Level of How It Works 

[Animated diagram: Target, Internet Router, SSO Site, Yahoo's Web Server, TAO FOXACID Server] 

1. Target logs into his Yahoo account 

2. SSO site sees the QUANTUM tasked Yahoo selector's packet and forwards 
it to TAO's FOXACID Server 

3. FOXACID injects a FOXACID URL into the packet and sends it back to 
the target's computer 

4. Yahoo server receives the packet requesting email content 

5. FOXACID packet beats the Yahoo packet back to the 

6. The target's Yahoo webpage is loaded but in the background the 
FOXACID URL loads which redirects to the FOXACID Exploit Server 

7. If the browser is exploitable and the PSP is safe, FOXACID 
deploys a Stage 1 implant back to the target 

Target Implanted! 

SPIEGEL ONLINE 

TOP SECRET//SI//REL USA, AUS, CAN, GBR, NZL 
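
From the defender's side, the race in step 5 leaves a trace in a capture taken at the client: two server segments claim the same TCP sequence range but carry different bytes. The check below is an added example, not part of the original presentation; the Segment tuple, the function name and the sample addresses and payloads are assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple

# One captured TCP segment; field names are this example's own (hypothetical).
Segment = namedtuple("Segment", "ts src sport dst dport seq payload")

def find_conflicting_segments(segments):
    """Return (flow, seq, first_payload, later_payload) for each pair of
    segments in one flow direction whose overlapping bytes differ.
    A plain retransmission repeats the same bytes and is not reported.
    Sequence-number wraparound is ignored to keep the example short."""
    seen = defaultdict(list)  # flow -> [(seq, payload)] observed so far
    findings = []
    for s in sorted(segments, key=lambda seg: seg.ts):
        if not s.payload:
            continue  # pure ACKs carry no data to compare
        flow = (s.src, s.sport, s.dst, s.dport)
        for seq, payload in seen[flow]:
            lo = max(seq, s.seq)
            hi = min(seq + len(payload), s.seq + len(s.payload))
            if lo >= hi:
                continue  # the two segments cover different byte ranges
            if payload[lo - seq:hi - seq] != s.payload[lo - s.seq:hi - s.seq]:
                findings.append((flow, lo, payload, s.payload))
        seen[flow].append((s.seq, s.payload))
    return findings

# Constructed sample capture (documentation addresses, invented payloads).
SERVER, CLIENT_A, CLIENT_B = "203.0.113.10", "198.51.100.7", "198.51.100.8"
SAMPLE = [
    # Two responses claim seq 1000 with different content: the race.
    Segment(0.010, SERVER, 80, CLIENT_A, 49152, 1000,
            b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"),
    Segment(0.042, SERVER, 80, CLIENT_A, 49152, 1000,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    # Benign retransmission: same seq, same bytes.
    Segment(0.050, SERVER, 80, CLIENT_B, 50000, 7000, b"HTTP/1.1 200 OK\r\n\r\n"),
    Segment(0.300, SERVER, 80, CLIENT_B, 50000, 7000, b"HTTP/1.1 200 OK\r\n\r\n"),
]

if __name__ == "__main__":
    for flow, seq, first, later in find_conflicting_segments(SAMPLE):
        print(f"{flow} seq={seq}: first={first[:18]!r} later={later[:15]!r}")
```

Some middleboxes also rewrite payloads in ways that produce differing bytes for one sequence range, so a hit is a lead for packet-level inspection rather than proof of injection.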
QUANTUM Capabilities - NSA 

(TS//SI//REL) NSA QUANTUM has the greatest success against <yahoo>, <facebook>, 
and Static IP Addresses. New QUANTUM realms are often changing, so check the GO 
quantum wiki page or the QUANTUM Spy Space page to get more up-to-date news. 

NSA QUANTUM is capable of targeting the following realms: 

* IPv4_public 
* mailruMrcu 
* alibabaForumUser 
* msnMailToken64 
* doubleclickID 
* qq 
* emailAddr 
* facebook 
* rocketmail 
* simbarUuid 
* hi5Uid 
* twitter 
* hotmailCID 
* yahoo 
* linkedin 
* yahooBcookie 
* mail 
* ymail 
* youTube 
* WatcherID 
QUANTUMTHEORY - GCHQ 

If a Partnering Agreement Form (PAF) is set up with GCHQ for 
the CNO project, then the R&T Analyst can utilize GCHQ 
QUANTUMTHEORY to include additional capabilities such as: 

* ALIBABA 
* AOL 
* BEBO_EMAIL 
* DOUBLECLICK 
* FACEBOOKCUSER 
* GOOGLE_PREFID 
* GMAIL 
* HI5 
* HOTMAIL 
* LINKEDIN 
* MAILRU 
* MICROSOFT_MUID 
* MICROSOFT_ANONA 
* RAMBLER 
* RADIUS 
* SIMBAR 
* TWITTER 
* YAHOO_B 
* YAHOO_L/Y 
* YANDEX_EMAIL 
* YOUTUBE 
* IP Address 

More information on: https://wiki.gchq/ /QUANTUM BISCUIT 

If you cannot get to the link try: http:// 
QUANTUM SIGDEV - QFDs 

(TS//SI//REL) Find all Selectors associated to your target (Yahoo, 
Yahoo B Cookies, Facebook, Hotmail, etc) using Marina, NSA or 
GCHQ QFDs. 

NSA SATC QFDs: 

ALTEREGO QFD: 

GCHQ 

[Screenshot: QFD results table with columns including Queried Selector, Alternate Selector, Intersection, Degree and Score (1-100)] 

DOGCOLLAR QFD: 

[Screenshot: DOGCOLLAR QFD results] 

Skip to Step 5 once you have all of your selectors. 
QUANTUM SIGDEV - Marina 

Step 1: Skip to Step 5 if you used the QFDs to identify alternate selectors 

* (TS//SI//REL) If you do not use the GCHQ or NSA QFDs you can use Marina. Run a 
Marina Selector/Identifier Profile (Federated) search for a 3 month range to look for 
additional selectors. 
* (TS//SI//REL) Once the query finishes, look at the Equivalent IDs section. This will show 
you other selectors that your target is using. This is determined by linking content 
(logins/email registrations/etc). It is worth verifying that these are indeed selectors 
associated to your target. NSA QUANTUM works best against <yahoo> and 
<facebook>. Although, it is worth making note of a <gmail> selector for possible GCHQ 
QUANTUM support or for your own notes. 

[Screenshot: Marina results showing the Selector Summary and Equivalent IDs sections, with a Known Selector and a New Selector marked] 
* (TS//SI//REL) If your search was on a <yahoo> email address, then click on Machine 
IDs and look for a recent <yahooBcookie>. YahooBcookies are unique to a specific 
computer and can hold other <yahoo> addresses that are being logged into on that 
computer as long as the user does not clear browser cookies. If you see multiple 
<yahooBcookie> pick the most recent Last Heard date. Also, the higher the Num Heard is, 
the more likely that selector does not change. 
Unique Selectors Found: 

(Known Selector) 

@gmail.com<google> 

<yahooBcookie> (New Selector) 

New <google> selector 
(TS//SI//REL) Since @gmail.com<google> is a new selector, you will want to 
do a Marina Selector Profile query on it to see if there are additional accounts 
associated to the target. Remember NSA QUANTUM cannot target the <google> 
selector. 

(TS//SI//REL) You can do this by clicking on the selector, scroll down to Selector 
Profile, and click Range. 

[Screenshot: Equivalent IDs] 
* (TS//SI//REL) Change the query to search for the last 3 Months and click SUBMIT 

[Screenshot: Selector Profile Search form] 
* (TS//SI//REL) Once the query finishes, look at the Equivalent IDs section and make 
note of any new <yahoo>, <hotmail>, <yahooBcookie>, and <facebook> selectors and 
do the same process to identify additional selectors. 

[Screenshot: Equivalent IDs] 
All Unique Selectors Found From Both Searches: 

<yahoo> (Known Selector) 

@gmail.com <google> (New Selector) 

<yahooBcookie> (New Selector) 
(TS//SI//REL) Once you have a list of your selector(s), you will want to look at each one 
separately to check for the likelihood of successfully exploiting your target via NSA 
QUANTUM. We are checking to see if the target itself is seen at US- and if it is active. 

(TS//SI//REL) First we want to run a Marina Active User/Presence (Federated) search on 
<facebook> for the past 14 days. 
If you have OVSC1700, check this 
box to search GCHQ databases 
* (TS//SI//REL) You will either have results or not have results. The key is to look at the 
SIGAD for the results and if the SIGAD is capable of doing QUANTUM then you most 
likely have a vulnerable target! To check for SIGADs that NSA and GCHQ QUANTUM 
can target, type GO quantum in your browser. If GCHQ QUANTUM is needed, then 
work with your R&T Analyst to follow the appropriate steps on the wiki to set up a PAF. 

* (TS//SI//REL) You will want to look at the Marina results and make note of the most 
frequent SIGAD and IP CIDR for each Active User/Presence (Federated) query 

1) Selector 

a) SIGAD 

b) Active User IP CIDR - The CIDR will be added to the TLN's Whitelist. 

A TLN's Whitelist is a list containing the IP CIDRs your target uses. The 
FOXACID server will only continue with exploitation if the external IP Address of 
the target/redirection is on the Whitelist for the TLN your R&T Analyst requests. 
Is My Selector Tasked for QUANTUM? 

If you sent your R&T analyst a selector to task for 
QUANTUMTHEORY and you want to see if it has been tasked yet, 
you can enter the selector in Target Profiler and if you see "tasked 
for survey" and the Technique to be QUANTUMTHEORY or 
QUANTUMNATION then it is tasked! You can also see when the last 
FOXACID redirection took place. 

[Screenshot: Target Profiler entry for a <yahoo> selector showing "tasked for survey", Technique: QUANTUMTHEORY, and the Tasked and Last Attempt dates] 
QUANTUMNATION 

QUANTUMNATION uses new TAO CNE tradecraft and automation to drive broad 
scale initial access, specifically an SSG cloud-analytic to identify selectors in SSO 
passive collection that are viable for end-point access, and the use of lightweight 
CNE implants to obtain initial access and survey data delivered to the TOPI offices 
via corporate SIGINT repositories. For more information on QUANTUMNATION check 
the QUANTUMNATION wiki page. 

Target Profiler now shows if a selector is vulnerable to a QUANTUM exploit. If your 
target is valid for QUANTUMNATION, a "Vulnerable" link in Target Profiler will 
appear. Simply click the link that sends an email to request QUANTUMNATION 
tasking. 
Note: QUANTUMNATION and standard QUANTUM tasking result in the same 
exploitation technique. The main difference is QUANTUMNATION deploys a stage 0 
implant and is able to be submitted by the TOPI. Any ios device will always get 
VALIDATOR deployed. 
* (TS//SI//REL) Once you have a selector, SIGAD, and IP CIDR, you are ready to start 
the process for a FOXACID TLN and Tag request. 

* (TS//SI//REL) Depending on the teams, either an R&T analyst or the Branch Chief can 
create a TLN (Twisty Lobby Number). Contact your Branch Chief for information on 
creating a TLN for each selector you want to target. 

* (TS//SI//REL) Note: You will need 1 TLN and 1 FOXACID Tag per selector you task with 
QUANTUM. 
Step 8: 

* (TS//SI//REL) Once you have a TLN, you will need to submit a FOXACID Tag request. 

* (TS//SI//REL) Go to https:// .nsa/cgi-bin/ and fill out the appropriate 
information in the top and within the body of the ticket update this information accordingly. Here is an example: 

CT or Non-CT: Non-CT 
Second Party/Partnering: No 
Country Region/Type: 
Type of Op: QUANTUM 
TLN: 12345 (Insert Your TLN) 
IP Range: (Insert Your Active User IP CIDR / WHITELIST) 
MAC Addresses: Unknown 
Start Date: 20130401 
MSQ Support: No 
* (TS//SI//REL) Once the ticket is completed, you will receive an email with the FOXACID 
Tag for your TLN. 

* (TS//SI//REL) Go to https:// .nsa.ic.gov/ /index.php and 
fill out the appropriate information in the form to task your selector and tag for 
QUANTUM. 

* (TS//SI//REL) Once your selector is tasked for QUANTUM you will see the status 
changed to complete. 

* (TS//SI//REL) The last step is to monitor the TLN in FOXSEARCH 
https:// .nsa to look for 
redirections and update the plugins or WHITELIST if needed. 

* (TS//SI//REL) De-task your QUANTUM request when you hook your target! 

* If you have any questions or comments about this presentation, please send an email 
to ■ at ■@nsa.ic.gov 



